G'Day team,
We have been using Crowd (stand alone server mode) for quite a while. We have an existing Directory with a population of about 300+ users. We are days away from enabling the following Crowd Directory parameters against this existing directory:
- Password Regex
- Max password attempts
- Password expiry
- Password history count
I would like to get confirmation that my understanding of the parameters AND rule to come into effect is correct. This is critical for us as we will base our end users' communication on this understanding.
1. Password regex: password setup policy that will come into effect in 2 cases: new user setup and password reset/change
2. Max password attempts: when entering an active account password, max number of tries before the account is flagged with attribute requiresPasswordChange = true.
   - The account remains active.
   - No specific notification or communication is given to the user about the fact that his account password must be changed.
3. Password expiry: time frequency at which an active account password must be changed.
   - The countdown starts either from the new account setup or last login time.
   - At expiry time, the account is flagged with attribute requiresPasswordChange = true.
   - The account remains active.
   - No specific notification or communication is given to the user about the fact that his account password must be changed.
4. Password history count: number of former passwords disallowed when resetting/changing password
What is critical for me is to get your review and feedback on points 1., 2. and 3.
Are all my statements correct?
Many thanks for your review and reply.
Cheers, Fred
Hi Fred,
Thanks for the detailed question. Here is the article I am basing my answers on: Configuring an Internal Directory
For 1, Password Regex is the regex pattern which new passwords will be validated against. That would apply to resetting passwords as well. So your statement is accurate.
2- Maximum Invalid Password Attempts: The maximum number of invalid password attempts before the authenticating account will be disabled. The account will not remain active as in your statement.
3- Password expiry is not a feature in Crowd exactly but we do have "Maximum Unchanged Password Days" which is the number of days until the password must be changed.
4- Password History Count does work as you stated: it is the number of previous passwords to prevent the user from using.
I look forward to any follow up questions.
Thanks,
Ann
Hi Ann,
Many thanks for replying to my post!
Points 1- and 4- : we're on the same page, so that's great.
Point 2- : if you test this very parameter, you will see that the actual user account is not disabled (i.e. the user details' Active check box remains ticked ON) but only the user's "requiresPasswordChange" attribute value changes from False to True.
Hence, my question about: is that the expected behaviour?
Point 3- : can you also confirm the following behaviours?
- The countdown starts either from the new account setup or last login time.
- At expiry time, the account is flagged with attribute requiresPasswordChange = true.
- The account remains active.
- No specific notification or communication is given to the user about the fact that his account password must be changed.
I am really thorough here as the behaviours are different from other Active Directory applications and therefore I must be precise in my communications to the end user base.
Many thanks in advance for your feedback,
Fred